Friday, September 20, 2013

Mobile Defender - the last line of protection

After seven years of studying malware delivered by spam, I am rarely amazed by something new, but that is exactly what happened today thanks to a new finding by Brendan Griffin, the lead author of Malcovery's Today's Top Threats report.

In yesterday's report, Malcovery customers were informed of a prevalent spam email that used the subject lines:

Voice Message Notification

1 New Voicemail(s)

2 New Voicemail(s)

3 New Voicemail(s)

4 New Voicemail(s)

5 New Voicemail(s)

6 New Voicemail(s)

When the spam messages from this campaign are rendered in an HTML mail viewer, the received message looks like this:

When a Windows user clicks the link, the site behind it determines the visitor's location and serves a .zip file whose name matches that location. For example, in yesterday's T3 Report, Brendan documented the behavior of a file he received from "bhaktapurtravel.com.np" that was named "VoiceMail_Birmingham_(205)4581400.zip".

At the time of Brendan's review, only 6 of 48 antivirus vendors detected the .zip file as malicious, according to this VirusTotal report for the .zip.

The unpacked file, which used an icon showing a musical note on a sheet of paper, fared little better, with only 7 of 48 detections, as shown in this VirusTotal report for the .exe.

Twenty-four hours later, detection is up to 21 of 48, with several vendors (AntiVir, DrWeb, Microsoft) calling the malware "Kuluoz" while BitDefender, EmSoft, and F-Secure prefer the name "Symmi".

Android Version?

Given that the email message claimed to come from an Android application called "WhatsApp", Brendan revisited the link using a User-Agent string commonly associated with an Android browser.

When the link was fetched with the Android User-Agent, instead of an .exe file Malcovery received *AND INSTALLED* a file called "WhatsApp.apk".
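The check Brendan performed, re-requesting the same link with a different User-Agent, generalised into a small probe. This is an added example, not Malcovery's tooling. The CloakingHandler is a local stand-in for the compromised "app.php" host so the script runs offline; how the real server chose its payload is an assumption here, and only the observable behaviour (a localized .zip for a Windows browser, WhatsApp.apk for an Android one) comes from the post. The stand-in also hands unknown clients a bland HTML page, which is one reason a scanner fetching such a URL with a default User-Agent can come back empty-handed.

```python
"""Probe a malware-download URL with several User-Agent strings and compare
what each one gets back.  Added example, not Malcovery's tooling: a local
HTTP server stands in for the compromised "app.php" host so this runs
offline; its cloaking logic is an assumption, not observed server code."""
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed User-Agent strings (abbreviated, but realistic in structure).
USER_AGENTS = {
    "windows": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36",
    "android": "Mozilla/5.0 (Linux; Android 4.1.2; GT-I9300 Build/JZO54K) "
               "AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30",
    "curl": "curl/7.32.0",
}


class CloakingHandler(BaseHTTPRequestHandler):
    """Hypothetical stand-in for the 'app.php' dropper: picks the payload by UA."""

    def do_GET(self):
        ua = self.headers.get("User-Agent", "")
        if "Android" in ua:
            name, body = "WhatsApp.apk", b"PK\x03\x04fake-apk"
            ctype = "application/vnd.android.package-archive"
        elif "Windows" in ua:
            name, body = "VoiceMail_Birmingham_(205)4581400.zip", b"PK\x03\x04fake-zip"
            ctype = "application/zip"
        else:
            # Unknown client (assumed behaviour): serve a harmless page so that
            # a scanner with a default User-Agent sees nothing suspicious.
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.end_headers()
            self.wfile.write(b"<html><body>Nothing here.</body></html>")
            return
        self.send_response(200)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Disposition", f'attachment; filename="{name}"')
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the console quiet
        pass


def start_server():
    """Bind the stand-in server to an ephemeral localhost port in a thread."""
    srv = HTTPServer(("127.0.0.1", 0), CloakingHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe(url, user_agent):
    """Fetch url with one UA; return (content_type, filename_or_None, first_bytes)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=5) as resp:
        ctype = resp.headers.get("Content-Type", "")
        disp = resp.headers.get("Content-Disposition", "")
        filename = None
        if "filename=" in disp:
            filename = disp.split("filename=", 1)[1].strip().strip('"')
        return ctype, filename, resp.read(8)


def probe_all(url):
    """Hit the URL once per User-Agent and return the results keyed by label."""
    return {label: probe(url, ua) for label, ua in USER_AGENTS.items()}


if __name__ == "__main__":
    srv = start_server()
    url = f"http://127.0.0.1:{srv.server_port}/app.php?message=example"
    for label, (ctype, name, head) in probe_all(url).items():
        print(f"{label:8s} {ctype:45s} {str(name):40s} {head!r}")
    srv.shutdown()
```

Against a live link the same probe_all() call is what you would run, ideally through a sandbox egress, since every request tells the operator which client just fetched the payload.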
Examining the code, Brendan found messages in both Russian and English claiming that various malware packages had been found on the phone. Here is one example, which claims the presence of Downad/Conficker:

The Android malware, which had the MD5: 5290df867914473426b82233567c03af, was much better detected by AV engines ...
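Pulling the bilingual strings out of an APK and hashing it the way the sample is identified above, as an added example that is not Malcovery's tooling. An APK is a ZIP archive, so the triage below hashes the file, lists its entries and runs two simple string extractors (a Cyrillic run and a printable-ASCII run) over classes.dex and the res/ tree. The archive it examines is constructed inline from invented content and is not the WhatsApp.apk sample; the strings inside it are placeholders in the spirit of what the post describes.

```python
"""Static triage of an APK: hash it, list its entries, and pull Cyrillic and
Latin strings out of classes.dex and the res/ tree.  Added example, not
Malcovery's tooling; the APK is constructed here from invented content so it
runs offline (it is not the WhatsApp.apk sample)."""
import hashlib
import io
import re
import zipfile

# A Cyrillic letter followed by at least three more Cyrillic letters,
# whitespace or punctuation; and a run of six or more printable ASCII chars.
CYRILLIC_RUN = re.compile(r"[\u0400-\u04FF][\u0400-\u04FF\s.,!]{3,}")
ASCII_RUN = re.compile(r"[ -~]{6,}")


def build_fake_apk():
    """Constructed stand-in APK: a ZIP with a manifest stub, a dex stub and a resource."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00binary-xml-stub")
        # Dex string tables are (M)UTF-8 and NUL-separated; invented text only.
        z.writestr(
            "classes.dex",
            b"dex\n035\x00"
            + "Threat found: Worm.Win32.Downad\x00"
              "Обнаружена угроза на вашем телефоне\x00".encode("utf-8")
            + b"\x00" * 8,
        )
        z.writestr("res/raw/scan.txt", "Mobile Defender\nLifetime Software License".encode())
    return buf.getvalue()


def triage_apk(apk_bytes):
    """Return md5, the entry list, and the Cyrillic/ASCII strings found in code and resources."""
    report = {
        "md5": hashlib.md5(apk_bytes).hexdigest(),
        "entries": [],
        "cyrillic": [],
        "ascii": [],
    }
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            report["entries"].append((info.filename, info.file_size))
            if not (info.filename == "classes.dex" or info.filename.startswith("res/")):
                continue
            # errors="ignore" drops the binary noise around the string table
            text = z.read(info.filename).decode("utf-8", errors="ignore")
            report["cyrillic"] += [m.strip() for m in CYRILLIC_RUN.findall(text)]
            report["ascii"] += ASCII_RUN.findall(text)
    return report


if __name__ == "__main__":
    r = triage_apk(build_fake_apk())
    print("MD5:", r["md5"])
    for name, size in r["entries"]:
        print(f"  {size:6d}  {name}")
    print("Cyrillic strings:", r["cyrillic"])
    print("ASCII strings:   ", r["ascii"])
```

Against a real sample, replace build_fake_apk() with open(path, "rb").read(); the regexes are deliberately crude, since the goal at this stage is to spot the lure text and its languages, not to disassemble the dex.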

At first glance, that seems quite encouraging! But think about it more. What possible good does it do you to have AVG, ESET, F-Secure, Kaspersky, and Trend Micro telling you that this APK file is hostile? You certainly aren't running any of their Anti-virus products on your Android phone, are you?

Brendan decided it was time to put this malware into a true Android phone, and received some shocking results, shown below!

First, the Android App pretends to scan your phone for malware . . .

And then, it asks you for your credit card information in order to buy the "Mobile Defender" application to protect your phone!

We were amused by the "Lifetime Software License" which offers a 60% discount. I wonder how many years they expect us to live to calculate that discount! Hopefully they are referring to the lifetime of their malware, rather than us or our phone!

Historical FakeAV Scams

We certainly have been talking about Fake AV for a long time! Here are some of our previous articles on the subject, dating all the way back to 2008 -- but this Fake AV on Android Phones was a first for us, especially in such a prominent spam campaign!

Sites seen in spam with either "info.php" or "app.php" malware links

Each of the sites below was found in spam in the Malcovery Spam Data Mine, either with an "app.php" path, such as "/app.php?message=7nof02WSsCV044njNqRS+F1mNBPcaaHD7u7VE/2vY7c=", or an "info.php" path, such as "/info.php?message=NaZNY1tYTjYL5u0C/rimmNLlnDKRleqTEBJme/hthH4=".

We believe that each of the sites below was compromised, and that the criminals then planted the "app.php" or "info.php" file on the compromised web server.

At this time, we are unsure whether the "localization" seen in the Windows version of this malware is based on geolocation of the infected computer's IP address, or whether the parameter passed in the URL carries an encoding of the recipient's location. Every URL observed carried a unique string in its "message=" parameter.
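One way to start on that question with what is already in hand, as an added example rather than Malcovery's analysis: decode the "message=" values quoted above and see whether they look like a plain encoding of a location or like opaque data. The host in the sample URLs is a placeholder; the paths and parameter values are the two quoted in this post. The verdict is a heuristic (decoded length, block alignment, printability, entropy), not a decryption, and it cannot by itself tell whether the server geolocates the IP or decrypts a location out of the token.

```python
"""Inspect the "message=" parameter on the spam links: readable encoding of
the recipient's location, or opaque (encrypted or random) data?  Added
example, not Malcovery's code.  The host is a placeholder; the two parameter
values are the ones quoted in the post.  Heuristic only, not a decryption."""
import base64
import binascii
import math
from collections import Counter
from urllib.parse import unquote, urlsplit

SAMPLE_URLS = [  # placeholder host, real paths and parameter values
    "http://example.invalid/app.php?message=7nof02WSsCV044njNqRS+F1mNBPcaaHD7u7VE/2vY7c=",
    "http://example.invalid/info.php?message=NaZNY1tYTjYL5u0C/rimmNLlnDKRleqTEBJme/hthH4=",
]


def shannon_entropy(data):
    """Bits of entropy per byte; 32 distinct bytes in a 32-byte blob gives the maximum, 5.0."""
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def message_param(url):
    """Extract the raw message= value.  parse_qs() would turn '+' into a space
    and corrupt the base64, so the query is split by hand and unquote() used."""
    for field in urlsplit(url).query.split("&"):
        key, _, value = field.partition("=")
        if key == "message":
            return unquote(value)
    return None


def analyse(url):
    raw = message_param(url)
    try:
        blob = base64.b64decode(raw, validate=True)
    except (binascii.Error, TypeError):
        return {"path": urlsplit(url).path, "valid_base64": False}
    printable = all(0x20 <= b < 0x7F for b in blob)
    try:
        blob.decode("utf-8")
        is_utf8 = True
    except UnicodeDecodeError:
        is_utf8 = False
    return {
        "path": urlsplit(url).path,
        "valid_base64": True,
        "length": len(blob),
        "block_aligned": len(blob) % 16 == 0,  # multiple of the AES block size
        "entropy_bits_per_byte": round(shannon_entropy(blob), 2),
        "readable": printable or is_utf8,
    }


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(analyse(url))
```

Both values decode to exactly 32 bytes, a multiple of the 16-byte AES block, and neither is printable ASCII nor valid UTF-8. That is what one would expect from a per-recipient token that is encrypted or random, and not from a city name or phone number simply base64-encoded; if the location does travel in the URL, it is not in the clear.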